
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.8.7 版本发行说明 &#8212; Django 3.2.11.dev 文档</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="索引" href="../genindex.html" />
    <link rel="search" title="搜索" href="../search.html" />
    <link rel="next" title="Django 1.8.6 版本发行说明" href="1.8.6.html" />
    <link rel="prev" title="Django 1.8.8 版本发行说明" href="1.8.8.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.11.dev 文档</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.8.8.html" title="Django 1.8.8 版本发行说明">previous</a>
     |
    <a href="index.html" title="发行说明" accesskey="U">up</a>
   |
    <a href="1.8.6.html" title="Django 1.8.6 版本发行说明">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.8.7">
            
  <div class="section" id="s-django-1-8-7-release-notes">
<span id="django-1-8-7-release-notes"></span><h1>Django 1.8.7 版本发行说明<a class="headerlink" href="#django-1-8-7-release-notes" title="永久链接至标题">¶</a></h1>
<p><em>November 24, 2015</em></p>
<p>Django 1.8.7 fixes a security issue and several bugs in 1.8.6.</p>
<p>Additionally, Django's vendored version of six, <code class="docutils literal notranslate"><span class="pre">django.utils.six</span></code>, has
been upgraded to the latest release (1.10.0).</p>
<div class="section" id="s-fixed-settings-leak-possibility-in-date-template-filter">
<span id="fixed-settings-leak-possibility-in-date-template-filter"></span><h2>Fixed settings leak possibility in <code class="docutils literal notranslate"><span class="pre">date</span></code> template filter<a class="headerlink" href="#fixed-settings-leak-possibility-in-date-template-filter" title="永久链接至标题">¶</a></h2>
<p>If an application allows users to specify an unvalidated format for dates and
passes this format to the <a class="reference internal" href="../ref/templates/builtins.html#std:templatefilter-date"><code class="xref std std-tfilter docutils literal notranslate"><span class="pre">date</span></code></a> filter, e.g.
<code class="docutils literal notranslate"><span class="pre">{{</span> <span class="pre">last_updated|date:user_date_format</span> <span class="pre">}}</span></code>, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format. e.g. <code class="docutils literal notranslate"><span class="pre">&quot;SECRET_KEY&quot;</span></code> instead of <code class="docutils literal notranslate"><span class="pre">&quot;j/m/Y&quot;</span></code>.</p>
<p>To remedy this, the underlying function used by the <code class="docutils literal notranslate"><span class="pre">date</span></code> template filter,
<code class="docutils literal notranslate"><span class="pre">django.utils.formats.get_format()</span></code>, now only allows accessing the date/time
formatting settings.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>漏洞修复<a class="headerlink" href="#bugfixes" title="永久链接至标题">¶</a></h2>
<ul class="simple">
<li>Fixed a crash of the debug view during the autumn DST change when
<a class="reference internal" href="../ref/settings.html#std:setting-USE_TZ"><code class="xref std std-setting docutils literal notranslate"><span class="pre">USE_TZ</span></code></a> is <code class="docutils literal notranslate"><span class="pre">False</span></code> and <code class="docutils literal notranslate"><span class="pre">pytz</span></code> is installed.</li>
<li>Fixed a regression in 1.8.6 that caused database routers without an
<code class="docutils literal notranslate"><span class="pre">allow_migrate()</span></code> method to crash (<a class="reference external" href="https://code.djangoproject.com/ticket/25686">#25686</a>).</li>
<li>Fixed a regression in 1.8.6 by restoring the ability to use <code class="docutils literal notranslate"><span class="pre">Manager</span></code>
objects for the <code class="docutils literal notranslate"><span class="pre">queryset</span></code> argument of <code class="docutils literal notranslate"><span class="pre">ModelChoiceField</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/25683">#25683</a>).</li>
<li>Fixed a regression in 1.8.6 that caused an application with South migrations
in the <code class="docutils literal notranslate"><span class="pre">migrations</span></code> directory to fail (<a class="reference external" href="https://code.djangoproject.com/ticket/25618">#25618</a>).</li>
<li>Fixed a data loss possibility with <a class="reference internal" href="../ref/models/querysets.html#django.db.models.Prefetch" title="django.db.models.Prefetch"><code class="xref py py-class docutils literal notranslate"><span class="pre">Prefetch</span></code></a> if
<code class="docutils literal notranslate"><span class="pre">to_attr</span></code> is set to a <code class="docutils literal notranslate"><span class="pre">ManyToManyField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25693">#25693</a>).</li>
<li>Fixed a regression in 1.8 by making <code class="docutils literal notranslate"><span class="pre">gettext()</span></code> once again return UTF-8
bytestrings on Python 2 if the input is a bytestring (<a class="reference external" href="https://code.djangoproject.com/ticket/25720">#25720</a>).</li>
<li>Fixed serialization of
<a class="reference internal" href="../ref/contrib/postgres/fields.html#django.contrib.postgres.fields.DateRangeField" title="django.contrib.postgres.fields.DateRangeField"><code class="xref py py-class docutils literal notranslate"><span class="pre">DateRangeField</span></code></a> and
<a class="reference internal" href="../ref/contrib/postgres/fields.html#django.contrib.postgres.fields.DateTimeRangeField" title="django.contrib.postgres.fields.DateTimeRangeField"><code class="xref py py-class docutils literal notranslate"><span class="pre">DateTimeRangeField</span></code></a> (<a class="reference external" href="https://code.djangoproject.com/ticket/24937">#24937</a>).</li>
<li>Fixed the exact lookup of <code class="docutils literal notranslate"><span class="pre">ArrayField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25666">#25666</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">Model.refresh_from_db()</span></code> updating of <code class="docutils literal notranslate"><span class="pre">ForeignKey</span></code> fields with
<code class="docutils literal notranslate"><span class="pre">on_delete=models.SET_NULL</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25715">#25715</a>).</li>
<li>Fixed a duplicate query regression in 1.8 on proxied model deletion
(<a class="reference external" href="https://code.djangoproject.com/ticket/25685">#25685</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">set_FOO_order()</span></code> crash when the <code class="docutils literal notranslate"><span class="pre">ForeignKey</span></code> of a model with
<code class="docutils literal notranslate"><span class="pre">order_with_respect_to</span></code> references a model with a <code class="docutils literal notranslate"><span class="pre">OneToOneField</span></code>
primary key (<a class="reference external" href="https://code.djangoproject.com/ticket/25786">#25786</a>).</li>
<li>Fixed incorrect validation for <code class="docutils literal notranslate"><span class="pre">PositiveIntegerField</span></code> and
<code class="docutils literal notranslate"><span class="pre">PositiveSmallIntegerField</span></code> on MySQL resulting in values greater than
4294967295 or 65535, respectively, passing validation and being silently
truncated by the database (<a class="reference external" href="https://code.djangoproject.com/ticket/25767">#25767</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.8.7 版本发行说明</a><ul>
<li><a class="reference internal" href="#fixed-settings-leak-possibility-in-date-template-filter">Fixed settings leak possibility in <code class="docutils literal notranslate"><span class="pre">date</span></code> template filter</a></li>
<li><a class="reference internal" href="#bugfixes">漏洞修复</a></li>
</ul>
</li>
</ul>

  <h4>上一个主题</h4>
  <p class="topless"><a href="1.8.8.html"
                        title="上一章">Django 1.8.8 版本发行说明</a></p>
  <h4>下一个主题</h4>
  <p class="topless"><a href="1.8.6.html"
                        title="下一章">Django 1.8.6 版本发行说明</a></p>
  <div role="note" aria-label="source link">
    <h3>本页</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.8.7.txt"
            rel="nofollow">显示源代码</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>快速搜索</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="转向" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">12月 07, 2021</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.8.8.html" title="Django 1.8.8 版本发行说明">previous</a>
     |
    <a href="index.html" title="发行说明" accesskey="U">up</a>
   |
    <a href="1.8.6.html" title="Django 1.8.6 版本发行说明">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>